Relating two standard notions of secrecy

Abstract

Two styles of definitions are usually considered to
express that a security protocol preserves the confidentiality of a
data { t s}. Reach-ability-based secrecy means that { t s} should
never be disclosed while equi-valence-based secrecy states that two
executions of a protocol with distinct instances for { t s} should
be indistinguishable to an attacker. Although the second formulation
ensures a higher level of security and is closer to cryptographic
notions of secrecy, decidability results and automatic tools have
mainly focused on the first definition so far.
This paper initiates a systematic investigation of situations where
syntactic secrecy entails strong secrecy.
We show that in the passive case, reachability-based secrecy
actually implies equivalence-based secrecy for signatures, symmetric
and asymmetric encryption provided that the primitives are
probabilistic. For active adversaries in the case of symmetric
encryption, we provide sufficient (and rather tight) conditions on
the protocol for this implication to hold.